Rules

#rules Below we apply basic rules to help explain the expected output when using rules. | WORD | RULE | OUTPUT | | -------- | ---- | ------ | | password | $1 | passwordl | | password | ,...,,...1 | l!password | | password | so0 sa@ | p@ssw0rd | | password | c so0 sa@ $1 | P@ssw0rdl | | password | u r | DROWSSAP | ##### MASKPROCESSOR HASHCAT-UTIL https://github.com/hashcat/maskprocessor Maskprocessor can be used to generate a long list of rules very quickly. Example rule creation of prepend digit and special char to dictionary candidates (i.e. "1 "! , "2 "@ , ... ): ``` mp64.bin '"?d "?s' -o rule.txt ``` Example creating rule with custom charset appending lower,uppercase chars and all digits to dictionary candidates (i.e. $a $Q $1 , $e $ A $2, ... ): ``` mp64.bin -1 aeiou -2 QAZWSX '$?1 $?2 $?d' ``` GENERATE RANDOM RULES ATTACK (i.e. "Raking") ``` hashcat -a 0 -m #type -g <#rules> hash.txt dict.txt ``` GENERATE RANDOM RULES FILE USING HASHCAT-UTIL ``` generate-rules.bin <#rules> <seed> I ./cleanup-rules.bin [l=CPU,2=GPU] > out.txt generate-rules.bin 1000 42 I ./cleanup-rules.bin 2 > out.txt ``` SAVE SUCCESSFUL RULES/METRICS ``` hashcat -a 0 -m #type --debug-mode=l --debug-file=debug.txt hash.txt -r rule.txt ``` SEND RULE OUTPUT TO STDOUT / VISUALLY VERIFY RULE OUTPUT ``` hashcat dict.txt -r rule.txt --stdout john --wordlist=dict.txt --rules=example --stdout ``` | HASHCAT INCLUDED RULES | Approx # Rules | | ----------------------- | -------------- | | Incisive-leetspeak.rule | 15,487 | |InsidePro-HashManager.rule| 6,746| |InsidePro-PasswordsPro.rule| 3,254 | |T0XlC-insert_00-99_1950-2050_toprules_0_F.rule| 4,019 | |T0XlC-insert_space_and_special_0_F.rule| 482 | |T0XlC-insert_top_100_passwords_l_G.rule |1,603 | |T0XlC.rule| 4,088 | |T0XlCv1.rule |11,934 | |best64.rule| 77 | |combinator.rule| 59 | |d3ad0ne.rule |34,101 | |dive.rule |99,092 | |generated.rule |14,733 | |generated2.rule| 65,117 | |leetspeak.rule |29 | |oscommerce.rule |256 | |rockyou-30000.rule |30,000 | |specific.rule |211 | |toggles1.rule |15 | |toggles2.rule |120 | |toggles3.rule |575 | |toggles4.rule |1,940 | |toggles5.rule| 4,943 | |unix-ninja-leetspeak.rule |3,073| | JOHN INCLUDED RULES | Approx # Rules | | -------------------------------------------------- | --------------- | | | | | All (Jumbo + KoreLogic) | 7,074,300 | | Extra | 17 | | Jumbo (Wordlist + Single + Extra + NT + OldOffice) | 226 | | KoreLogic | 7,074,074 | | Loopback | (NT + Split) 15 | | NT | 14 | | OldOffice | 1 | | Single | 169 | | Single-Extra (Single + Extra + OldOffice) | 187 | | Split | 1 | | Wordlist | 25 | | | | | | | http://www.openwall.com/john/doc/RULES.shtml #### Effective Rules ##### D3adH0b0 Rules This ruleset is much more extensive and utilizes many common password structure ideas seen across every industry. Looking to spend several hours to crack many more hashes? Use this list. ``` hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/english.txt -r d3adhob0.rule -o cracked.txt ``` This ruleset contains 64 of the most frequent password patterns used to crack passwords. Need a hash cracked quickly to move on to more testing? Use this list. ``` hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/rockyou.txt -r hob064.rule -o cracked.txt ``` ##### KoreLogic Rules These rules were originally created for the tool John the Ripper. KoreLogic performed a very rough translation to rules that can be understood by the 'hashcat' tool. The rules below can be downloaded, placed in hashcat's /rules/ directory and accessed via the command line using the -r command line option. This is _not_ a complete list of all rules that was used for the contest, but a subset of rules that were easy to convert to hashcat format. ##### Not_So_Secure Rules OneRuletoRuleThemAll The rule file is a combination of rules from various sources: 1. [https://github.com/praetorian-inc/Hob0Rules](https://github.com/praetorian-inc/Hob0Rules) (d3adhob0.rule, hob064.rule) 2. [http://contest-2010.korelogic.com/rules-hashcat.html](http://contest-2010.korelogic.com/rules-hashcat.html) (KoreLogicRulesPrependRockYou50000) 3. [https://github.com/NSAKEY/nsa-rules](https://github.com/NSAKEY/nsa-rules) (NSAKEY.v2.dive.rule) 4. [https://github.com/hashcat/hashcat/](https://github.com/hashcat/hashcat/) oclHashcat v1.20 (by 5. [https://github.com/evilmog](https://github.com/evilmog)) (generated2.rule) ##### NSA_rules [[NSAKEYv1diverule]] is the first version of the rule set which was used to compete against dive.rule. It has 123289 rules, just like the real dive.rule. [[NSAKEYv2diverule]] is the improved version of an attempt to compete against dive.rule. You can use "head -n X" (With X being a number between 1 and 123289) and the output to another file if you want to create a smaller rule set. [[nsa64rule]] is the first 64 rules from _NSAKEY.v2.dive.rule. For the record, it cracked 42% of the Battlefield Heroes Beta hashes. best64.rule is unquestionably better, but maybe this set of rules will be helpful to someone.